3.12.4 — Maintain the SSP

The One-Liner

The SSP is your assessor’s map. If it’s wrong, they get lost — and you get findings.

What It Says

Develop, document, and periodically update system security plans that describe system boundaries, system environments of operation, how security requirements are implemented, and the relationships with or connections to other systems.

What It Actually Means

The SSP is the single most important document for your CMMC assessment. It describes: your CUI boundary (what’s in scope), the environment (systems, network, people), how each of the 110 security requirements is implemented (not generic — specific to your environment), and connections to other systems (cloud services, client networks, vendor access). It must be current — updated within 30 days of significant changes and reviewed at least annually. An absent or outdated SSP at assessment time is grounds for assessment failure.

---

Pass or Fail

Your assessor needs a “yes” to every row:

#	Question	What “yes” looks like
1	Is an SSP developed?	Complete SSP document exists
2	Is the system boundary described?	CUI boundary clearly defined with network diagram and asset list
3	Is the environment described?	Systems, people, locations, and operational context documented
4	Are non-applicable requirements identified?	Any N/A requirements documented with justification approved by designated authority
5	Is implementation described?	Each requirement has a specific, environment-specific implementation description
6	Are connections described?	All external connections documented: cloud services, client networks, vendor access
7	Is update frequency defined?	Policy: reviewed annually, updated within 30 days of changes
8	Is the SSP updated per the defined frequency?	Version history showing recent updates; last review date within 12 months

---

What to Have Ready on Assessment Day

Documents they’ll review: Security planning policy; system security plan (complete document); SSP version history and change log; network diagrams; CUI boundary documentation; system inventory

People they’ll talk to: Personnel with security assessment responsibilities; information security personnel; management with oversight

Live demos they’ll ask for: “Show me your SSP.” “Walk me through the CUI boundary section.” “When was it last updated? Show me the version history.” “Does it match your actual environment?”

---

The Assessor’s Playbook

These are the actual questions. Have answers ready.

• “Show me your SSP. When was it last updated?”
• “Walk me through the CUI boundary — what’s in scope?”
• “Show me how you describe the implementation of [specific requirement].”
• “What connections exist to external systems?”
• “Are any requirements marked N/A? Show me the justification.”
• “Does the SSP match your actual environment?”

Real-World Example

A defense contractor’s SSP is a 60-page document covering all 110 requirements. The CUI boundary section includes a network diagram showing the CUI VLAN, firewall boundaries, cloud services (M365 GCC High, Azure), and VPN connections. Each requirement has an implementation description specific to their environment — not generic boilerplate. For example, AC.L2-3.1.1 describes: ‘User access managed via Entra ID with quarterly access reviews. Device access enforced via Intune compliance policies. Service accounts documented in ITSM with named owners.’ The SSP is version-controlled in SharePoint with a revision log. Last updated: three weeks ago after deploying a new backup solution. The assessor reads the SSP before arriving and uses it as the roadmap for the entire assessment.

---

Where Companies Trip Up

No SSP. This is the most critical document. Without it, the assessment cannot proceed.

Stale SSP. Written a year ago and not updated despite environment changes. Update within 30 days of significant changes.

Template/boilerplate. Generic descriptions that don’t match your actual environment. The SSP must be specific to your implementation.

Doesn’t match reality. Describes controls that aren’t implemented. The assessor will verify SSP claims against your actual environment.

---

How to Talk About This

To a CEO or Board

Our SSP is complete, current, and specific to our environment. It’s the roadmap for our security posture — updated within 30 days of any change and reviewed annually.

To an Engineering Team

SSP in SharePoint, version-controlled. Updated within 30 days of changes. Annual full review. Covers: CUI boundary (network diagram + asset list), environment description, all 110 requirements with implementation-specific descriptions, connections to external systems. N/A items documented with justification.

---

Connected Requirements

Requirement	Why it matters here
3.12.1 — Test Your Controls	Self-assessment validates what the SSP claims
3.12.3 — Monitor Continuously	Continuous monitoring may reveal SSP updates needed
3.4.3 — Control Every Change	Changes may trigger SSP updates

---

Implementation

🔒

Step-by-step guides for Microsoft 365, AWS, Azure, and GCP are available to Ancitus clients.

Start a conversation →

---

CMMC Practice ID: CA.L2-3.12.4 | SPRS Weight: 1 point | POA&M Eligible: Yes